qemu/qapi/opts-visitor.c
Andrey Shinkevich 863f195fa8 make check-unit: use after free in test-opts-visitor
In the struct OptsVisitor, the 'repeated_opts' member points to a list
in the 'unprocessed_opts' hash table after the list has been destroyed.
A subsequent call to visit_type_int() references the deleted list.
It results in use-after-free issue reproduced by running the test case
under the Valgrind: valgrind tests/test-opts-visitor.
A new mode ListMode::LM_TRAVERSED is declared to mark the list
traversal completed.

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
Message-Id: <1565024586-387112-1-git-send-email-andrey.shinkevich@virtuozzo.com>
2019-09-24 11:03:44 +02:00

589 lines
16 KiB
C

/*
* Options Visitor
*
* Copyright Red Hat, Inc. 2012-2016
*
* Author: Laszlo Ersek <lersek@redhat.com>
*
* This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
* See the COPYING.LIB file in the top-level directory.
*
*/
#include "qemu/osdep.h"
#include "qapi/error.h"
#include "qemu/cutils.h"
#include "qapi/qmp/qerror.h"
#include "qapi/opts-visitor.h"
#include "qemu/queue.h"
#include "qemu/option_int.h"
#include "qapi/visitor-impl.h"
enum ListMode
{
LM_NONE, /* not traversing a list of repeated options */
LM_IN_PROGRESS, /*
* opts_next_list() ready to be called.
*
* Generating the next list link will consume the most
* recently parsed QemuOpt instance of the repeated
* option.
*
* Parsing a value into the list link will examine the
* next QemuOpt instance of the repeated option, and
* possibly enter LM_SIGNED_INTERVAL or
* LM_UNSIGNED_INTERVAL.
*/
LM_SIGNED_INTERVAL, /*
* opts_next_list() has been called.
*
* Generating the next list link will consume the most
* recently stored element from the signed interval,
* parsed from the most recent QemuOpt instance of the
* repeated option. This may consume QemuOpt itself
* and return to LM_IN_PROGRESS.
*
* Parsing a value into the list link will store the
* next element of the signed interval.
*/
LM_UNSIGNED_INTERVAL, /* Same as above, only for an unsigned interval. */
LM_TRAVERSED /*
* opts_next_list() has been called.
*
* No more QemuOpt instance in the list.
* The traversal has been completed.
*/
};
typedef enum ListMode ListMode;
struct OptsVisitor
{
Visitor visitor;
/* Ownership remains with opts_visitor_new()'s caller. */
const QemuOpts *opts_root;
unsigned depth;
/* Non-null iff depth is positive. Each key is a QemuOpt name. Each value
* is a non-empty GQueue, enumerating all QemuOpt occurrences with that
* name. */
GHashTable *unprocessed_opts;
/* The list currently being traversed with opts_start_list() /
* opts_next_list(). The list must have a struct element type in the
* schema, with a single mandatory scalar member. */
ListMode list_mode;
GQueue *repeated_opts;
/* When parsing a list of repeating options as integers, values of the form
* "a-b", representing a closed interval, are allowed. Elements in the
* range are generated individually.
*/
union {
int64_t s;
uint64_t u;
} range_next, range_limit;
/* If "opts_root->id" is set, reinstantiate it as a fake QemuOpt for
* uniformity. Only its "name" and "str" fields are set. "fake_id_opt" does
* not survive or escape the OptsVisitor object.
*/
QemuOpt *fake_id_opt;
};
static OptsVisitor *to_ov(Visitor *v)
{
return container_of(v, OptsVisitor, visitor);
}
static void
destroy_list(gpointer list)
{
g_queue_free(list);
}
static void
opts_visitor_insert(GHashTable *unprocessed_opts, const QemuOpt *opt)
{
GQueue *list;
list = g_hash_table_lookup(unprocessed_opts, opt->name);
if (list == NULL) {
list = g_queue_new();
/* GHashTable will never try to free the keys -- we supply NULL as
* "key_destroy_func" in opts_start_struct(). Thus cast away key
* const-ness in order to suppress gcc's warning.
*/
g_hash_table_insert(unprocessed_opts, (gpointer)opt->name, list);
}
/* Similarly, destroy_list() doesn't call g_queue_free_full(). */
g_queue_push_tail(list, (gpointer)opt);
}
static void
opts_start_struct(Visitor *v, const char *name, void **obj,
size_t size, Error **errp)
{
OptsVisitor *ov = to_ov(v);
const QemuOpt *opt;
if (obj) {
*obj = g_malloc0(size);
}
if (ov->depth++ > 0) {
return;
}
ov->unprocessed_opts = g_hash_table_new_full(&g_str_hash, &g_str_equal,
NULL, &destroy_list);
QTAILQ_FOREACH(opt, &ov->opts_root->head, next) {
/* ensured by qemu-option.c::opts_do_parse() */
assert(strcmp(opt->name, "id") != 0);
opts_visitor_insert(ov->unprocessed_opts, opt);
}
if (ov->opts_root->id != NULL) {
ov->fake_id_opt = g_malloc0(sizeof *ov->fake_id_opt);
ov->fake_id_opt->name = g_strdup("id");
ov->fake_id_opt->str = g_strdup(ov->opts_root->id);
opts_visitor_insert(ov->unprocessed_opts, ov->fake_id_opt);
}
}
static void
opts_check_struct(Visitor *v, Error **errp)
{
OptsVisitor *ov = to_ov(v);
GHashTableIter iter;
GQueue *any;
if (ov->depth > 1) {
return;
}
/* we should have processed all (distinct) QemuOpt instances */
g_hash_table_iter_init(&iter, ov->unprocessed_opts);
if (g_hash_table_iter_next(&iter, NULL, (void **)&any)) {
const QemuOpt *first;
first = g_queue_peek_head(any);
error_setg(errp, QERR_INVALID_PARAMETER, first->name);
}
}
static void
opts_end_struct(Visitor *v, void **obj)
{
OptsVisitor *ov = to_ov(v);
if (--ov->depth > 0) {
return;
}
g_hash_table_destroy(ov->unprocessed_opts);
ov->unprocessed_opts = NULL;
if (ov->fake_id_opt) {
g_free(ov->fake_id_opt->name);
g_free(ov->fake_id_opt->str);
g_free(ov->fake_id_opt);
}
ov->fake_id_opt = NULL;
}
static GQueue *
lookup_distinct(const OptsVisitor *ov, const char *name, Error **errp)
{
GQueue *list;
list = g_hash_table_lookup(ov->unprocessed_opts, name);
if (!list) {
error_setg(errp, QERR_MISSING_PARAMETER, name);
}
return list;
}
static void
opts_start_list(Visitor *v, const char *name, GenericList **list, size_t size,
Error **errp)
{
OptsVisitor *ov = to_ov(v);
/* we can't traverse a list in a list */
assert(ov->list_mode == LM_NONE);
/* we don't support visits without a list */
assert(list);
ov->repeated_opts = lookup_distinct(ov, name, errp);
if (ov->repeated_opts) {
ov->list_mode = LM_IN_PROGRESS;
*list = g_malloc0(size);
} else {
*list = NULL;
}
}
static GenericList *
opts_next_list(Visitor *v, GenericList *tail, size_t size)
{
OptsVisitor *ov = to_ov(v);
switch (ov->list_mode) {
case LM_TRAVERSED:
return NULL;
case LM_SIGNED_INTERVAL:
case LM_UNSIGNED_INTERVAL:
if (ov->list_mode == LM_SIGNED_INTERVAL) {
if (ov->range_next.s < ov->range_limit.s) {
++ov->range_next.s;
break;
}
} else if (ov->range_next.u < ov->range_limit.u) {
++ov->range_next.u;
break;
}
ov->list_mode = LM_IN_PROGRESS;
/* range has been completed, fall through in order to pop option */
case LM_IN_PROGRESS: {
const QemuOpt *opt;
opt = g_queue_pop_head(ov->repeated_opts);
if (g_queue_is_empty(ov->repeated_opts)) {
g_hash_table_remove(ov->unprocessed_opts, opt->name);
ov->repeated_opts = NULL;
ov->list_mode = LM_TRAVERSED;
return NULL;
}
break;
}
default:
abort();
}
tail->next = g_malloc0(size);
return tail->next;
}
static void
opts_check_list(Visitor *v, Error **errp)
{
/*
* Unvisited list elements will be reported later when checking
* whether unvisited struct members remain.
*/
}
static void
opts_end_list(Visitor *v, void **obj)
{
OptsVisitor *ov = to_ov(v);
assert(ov->list_mode == LM_IN_PROGRESS ||
ov->list_mode == LM_SIGNED_INTERVAL ||
ov->list_mode == LM_UNSIGNED_INTERVAL ||
ov->list_mode == LM_TRAVERSED);
ov->repeated_opts = NULL;
ov->list_mode = LM_NONE;
}
static const QemuOpt *
lookup_scalar(const OptsVisitor *ov, const char *name, Error **errp)
{
if (ov->list_mode == LM_NONE) {
GQueue *list;
/* the last occurrence of any QemuOpt takes effect when queried by name
*/
list = lookup_distinct(ov, name, errp);
return list ? g_queue_peek_tail(list) : NULL;
}
if (ov->list_mode == LM_TRAVERSED) {
error_setg(errp, "Fewer list elements than expected");
return NULL;
}
assert(ov->list_mode == LM_IN_PROGRESS);
return g_queue_peek_head(ov->repeated_opts);
}
static void
processed(OptsVisitor *ov, const char *name)
{
if (ov->list_mode == LM_NONE) {
g_hash_table_remove(ov->unprocessed_opts, name);
return;
}
assert(ov->list_mode == LM_IN_PROGRESS);
/* do nothing */
}
static void
opts_type_str(Visitor *v, const char *name, char **obj, Error **errp)
{
OptsVisitor *ov = to_ov(v);
const QemuOpt *opt;
opt = lookup_scalar(ov, name, errp);
if (!opt) {
*obj = NULL;
return;
}
*obj = g_strdup(opt->str ? opt->str : "");
/* Note that we consume a string even if this is called as part of
* an enum visit that later fails because the string is not a
* valid enum value; this is harmless because tracking what gets
* consumed only matters to visit_end_struct() as the final error
* check if there were no other failures during the visit. */
processed(ov, name);
}
/* mimics qemu-option.c::parse_option_bool() */
static void
opts_type_bool(Visitor *v, const char *name, bool *obj, Error **errp)
{
OptsVisitor *ov = to_ov(v);
const QemuOpt *opt;
opt = lookup_scalar(ov, name, errp);
if (!opt) {
return;
}
if (opt->str) {
if (strcmp(opt->str, "on") == 0 ||
strcmp(opt->str, "yes") == 0 ||
strcmp(opt->str, "y") == 0) {
*obj = true;
} else if (strcmp(opt->str, "off") == 0 ||
strcmp(opt->str, "no") == 0 ||
strcmp(opt->str, "n") == 0) {
*obj = false;
} else {
error_setg(errp, QERR_INVALID_PARAMETER_VALUE, opt->name,
"on|yes|y|off|no|n");
return;
}
} else {
*obj = true;
}
processed(ov, name);
}
static void
opts_type_int64(Visitor *v, const char *name, int64_t *obj, Error **errp)
{
OptsVisitor *ov = to_ov(v);
const QemuOpt *opt;
const char *str;
long long val;
char *endptr;
if (ov->list_mode == LM_SIGNED_INTERVAL) {
*obj = ov->range_next.s;
return;
}
opt = lookup_scalar(ov, name, errp);
if (!opt) {
return;
}
str = opt->str ? opt->str : "";
/* we've gotten past lookup_scalar() */
assert(ov->list_mode == LM_NONE || ov->list_mode == LM_IN_PROGRESS);
errno = 0;
val = strtoll(str, &endptr, 0);
if (errno == 0 && endptr > str && INT64_MIN <= val && val <= INT64_MAX) {
if (*endptr == '\0') {
*obj = val;
processed(ov, name);
return;
}
if (*endptr == '-' && ov->list_mode == LM_IN_PROGRESS) {
long long val2;
str = endptr + 1;
val2 = strtoll(str, &endptr, 0);
if (errno == 0 && endptr > str && *endptr == '\0' &&
INT64_MIN <= val2 && val2 <= INT64_MAX && val <= val2 &&
(val > INT64_MAX - OPTS_VISITOR_RANGE_MAX ||
val2 < val + OPTS_VISITOR_RANGE_MAX)) {
ov->range_next.s = val;
ov->range_limit.s = val2;
ov->list_mode = LM_SIGNED_INTERVAL;
/* as if entering on the top */
*obj = ov->range_next.s;
return;
}
}
}
error_setg(errp, QERR_INVALID_PARAMETER_VALUE, opt->name,
(ov->list_mode == LM_NONE) ? "an int64 value" :
"an int64 value or range");
}
static void
opts_type_uint64(Visitor *v, const char *name, uint64_t *obj, Error **errp)
{
OptsVisitor *ov = to_ov(v);
const QemuOpt *opt;
const char *str;
unsigned long long val;
char *endptr;
if (ov->list_mode == LM_UNSIGNED_INTERVAL) {
*obj = ov->range_next.u;
return;
}
opt = lookup_scalar(ov, name, errp);
if (!opt) {
return;
}
str = opt->str;
/* we've gotten past lookup_scalar() */
assert(ov->list_mode == LM_NONE || ov->list_mode == LM_IN_PROGRESS);
if (parse_uint(str, &val, &endptr, 0) == 0 && val <= UINT64_MAX) {
if (*endptr == '\0') {
*obj = val;
processed(ov, name);
return;
}
if (*endptr == '-' && ov->list_mode == LM_IN_PROGRESS) {
unsigned long long val2;
str = endptr + 1;
if (parse_uint_full(str, &val2, 0) == 0 &&
val2 <= UINT64_MAX && val <= val2 &&
val2 - val < OPTS_VISITOR_RANGE_MAX) {
ov->range_next.u = val;
ov->range_limit.u = val2;
ov->list_mode = LM_UNSIGNED_INTERVAL;
/* as if entering on the top */
*obj = ov->range_next.u;
return;
}
}
}
error_setg(errp, QERR_INVALID_PARAMETER_VALUE, opt->name,
(ov->list_mode == LM_NONE) ? "a uint64 value" :
"a uint64 value or range");
}
static void
opts_type_size(Visitor *v, const char *name, uint64_t *obj, Error **errp)
{
OptsVisitor *ov = to_ov(v);
const QemuOpt *opt;
int err;
opt = lookup_scalar(ov, name, errp);
if (!opt) {
return;
}
err = qemu_strtosz(opt->str ? opt->str : "", NULL, obj);
if (err < 0) {
error_setg(errp, QERR_INVALID_PARAMETER_VALUE, opt->name,
"a size value");
return;
}
processed(ov, name);
}
static void
opts_optional(Visitor *v, const char *name, bool *present)
{
OptsVisitor *ov = to_ov(v);
/* we only support a single mandatory scalar field in a list node */
assert(ov->list_mode == LM_NONE);
*present = (lookup_distinct(ov, name, NULL) != NULL);
}
static void
opts_free(Visitor *v)
{
OptsVisitor *ov = to_ov(v);
if (ov->unprocessed_opts != NULL) {
g_hash_table_destroy(ov->unprocessed_opts);
}
g_free(ov->fake_id_opt);
g_free(ov);
}
Visitor *
opts_visitor_new(const QemuOpts *opts)
{
OptsVisitor *ov;
assert(opts);
ov = g_malloc0(sizeof *ov);
ov->visitor.type = VISITOR_INPUT;
ov->visitor.start_struct = &opts_start_struct;
ov->visitor.check_struct = &opts_check_struct;
ov->visitor.end_struct = &opts_end_struct;
ov->visitor.start_list = &opts_start_list;
ov->visitor.next_list = &opts_next_list;
ov->visitor.check_list = &opts_check_list;
ov->visitor.end_list = &opts_end_list;
ov->visitor.type_int64 = &opts_type_int64;
ov->visitor.type_uint64 = &opts_type_uint64;
ov->visitor.type_size = &opts_type_size;
ov->visitor.type_bool = &opts_type_bool;
ov->visitor.type_str = &opts_type_str;
/* type_number() is not filled in, but this is not the first visitor to
* skip some mandatory methods... */
ov->visitor.optional = &opts_optional;
ov->visitor.free = opts_free;
ov->opts_root = opts;
return &ov->visitor;
}